Getting Data In

How to edit inputs.conf to exclude a field before indexing?

vikas_gopal
Builder

I am using Windows Host Monitoring stanza in inputs.conf like

([WinHostMon://Service]
interval = 10
disabled = 0
type = Service)
to collect service information on the windows machine . I got following in splunk .

Type=Service
Name="AeLookupSvc"
DisplayName="Application Experience"
Description="Processes application compatibility cache requests for applications as they are launched"
Path="C:\Windows\system32\svchost.exe -k netsvcs"
ServiceType="Share Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

I do not want to index Description and Path Field. Please suggest how I can achieve this.

Thanks
VG

0 Karma

Yorokobi
SplunkTrust
SplunkTrust

In your indexing tier's props.conf

[WinHostMon]
### This affects ALL WinHostMon source types for the v6+ add-on
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

Or to apply to only WinHostMon's Service source

[source::service]
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

dkeck
Influencer

Please accept answer, if it was helpfull.

Thank you

0 Karma

dkeck
Influencer

Hi,

there are historic questions regarding this topic , for example

https://answers.splunk.com/answers/109253/how-to-filter-or-extract-fields-before-indexing-time.html

Kind regards

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...